ABSTRACT

A description is provided of a conceptual model for a data secure system. The discussion first offers a formal working vocabulary and next, using the intuitive idea of a dichotomy between permissible and impermissible accesses, formalizes the idea with an Extended Logical Data Base and with protection specifications and patterns. These specifications and patterns encompass the traditional identification, authentication, and verification procedures by recognizing that these procedures can be compared solely on the basis of their answers to specific access attempts. A limited calculus of protection patterns is offered, suggesting both comparative and generative operators, and a variety of protection specifications is defined and demonstrated. Finally, a demonstration is made of the fact that it is possible to protect any accessible data in a data base with a proposed protection specification which is independent of the structure and implementation of the data base.
Preface

The project on Data Security and Data Secure Systems was formed in the fall of 1972 and funded on March 1, 1973. The principal investigator of the project is Dr. David K. Hsiao, Associate Professor of Computer and Information Science. There are five Graduate Associates and Assistants on the project: R.K. Baum, N. Kaffen, E.J. McCauley, C.J. Nee, and S. Peden. Presently, Dr. Douglas S. Kerr, Associate Professor of Computer and Information Science, is serving as an investigator on the project.

Five major research and experimentation efforts are underway. We intend to issue a series of technical reports at the milestones of these efforts. Although early reports may be preliminary, we believe that they can serve as position papers for the research being pursued. These five research and experimentation efforts are listed as follows:

(1) A data secure system based on the theory of security deadlock.

(2) Theoretical foundations for context protection and consistent control in data secure systems.

(3) A data secure computer (hardware) architecture.

(4) Design and certification of data secure system kernels.

(5) A system for experimenting with access control mechanisms.

The Office of Naval Research (contract N00014-67-A-0232-0022) and the Office of Science Information Service, National Science Foundation (Grant No. GN534.1) are acknowledged for their support in the preparation of this study.

The report is published by the Computer and Information Science Research Center of The Ohio State University, which consists of the staff, graduate students, and faculty of many University departments and laboratories. The research was administered and monitored by The Ohio State University Research Foundation.
A multi-level model for data secure systems is proposed. In this model the relevant issues in data security, such as integrity, privacy protection and controlled information sharing, can be studied, on the one hand; and the conventional procedures such as identification, authentication, authorization, and compartmentalization can be characterized, on the other hand. Furthermore, the model allows different problems in data security to be considered at a level of abstraction appropriate to the specific issue and procedure under study. The highest level is conceptual. In it, "patterns of protection" (intuitively, the ways the users may access the data) can be defined in formal and unambiguous ways. The intermediate level of the model is structural. Here, the primitives to be utilized in the realization of the patterns of protection defined in the higher level will be specified. The most important feature of this level is that the critical functions of an access control mechanism are no longer carried out by complex, and thus potentially unreliable, programs, but are inherent in the basic structure of the system by the utilization of deadlocks. When a user attempts an unpermitted access, he deadlocks with a "pseudo-user" and cannot proceed. Thus, the demonstration of system correctness involves the certification of a limited number of small, single-purpose modules and the verification of the correctness of the user/pseudo-user interaction. On the lowest level, a system to illustrate the utility and practicality of the model will be created. Overall, the research should suggest a modelling and design technique for a demonstrably complete and correct system for providing logical access control in a shared data base system.

Our present plan for this research consists of three studies. The first is to complete our abstract model of data secure systems and develop a general theory of data security as proposed. In particular, we emphasize the structural level of the model. It is hoped that this level of modelling can reveal the inner working of the access control mechanism based on the theory of deadlock. With a good understanding of its inner working, the access control mechanism can then be properly designed and implemented. The application of the theory of deadlock to access control is new. We believe that this is the first application. Traditionally, system designers attempt to avoid and circumvent the system deadlocks which tie up system resources and utilities. However, in our case, we deliberately tie up resources and utilities as a means to deadlock penetrators of the system. Obviously, these resources and utilities are logical resources such as files, records and fields, and functional utilities such as data access and manipulation. Such a deadlock is called a security deadlock. One of the basic requirements is that no authorized use of and access to the data base will cause a security deadlock, and any unauthorized use or access will cause an immediate security deadlock. This requirement will be met.

Part I of this report deals only with the conceptual model.
I. Introduction



    We now realize that perhaps the most important and powerful computer
    applications will involve the use of a computer as an extension of
    the human intellect rather than as a replacement for it.

                                                            [Zschau]

Computer applications are moving towards this goal with increasing speed. One of the ways in which computer systems can extend man's intellect is through their capability to store and retrieve data. As such data bases become larger, more complete and more common, the importance of protection of the data grows. Without adequate protection, no user will be willing to entrust his sensitive data to the system. Further, no user can be sure that the data base is an accurate reflection of reality unless we provide sufficient protection of the data base. Running counter to the security requirement for protection is a need to provide for sharing of data so that users can "build on the work of others." Without sharing of data, there is little intellectual value in the accumulation of data. Thus, one of the most difficult and perplexing problems is how to provide adequate protection and still allow flexible sharing.

A data base is a collection of data structured in a way to facilitate some aspect of its use, such as query answering, update, report generation, etc. The exact structure chosen depends on precisely what the intended use of the data base is. Increasing amounts of work have been done in support of a separation of the physical and logical structure of the data base. Such a separation allows users to be concerned with the logical content of the data base rather than its physical representation. Data base computer systems must have some protection from unauthorized use and destruction of the data base. Conventionally, this is done by means of procedures which check the legitimacy of certain user actions, monitor the interaction between the user and the system, and enforce the control of the user's access to the data.

In order to build a model which will allow us to study data security in comparative isolation, at a level of abstraction appropriate to each specific study, we will need a multi-level model.

The highest and most general level, the conceptual model, lets us focus on the specification and description of protection patterns, which constitute the fundamental concepts for data security and integrity requirements in data secure systems. Conventional procedures such as identification, verification, authentication, authorization and compartmentalization should be easily characterized in terms of protection patterns. Furthermore, the roles of these procedures in data secure systems should be clearly delineated. With the conceptual model, we can then study the relationships among these procedures and their effects on data secure systems. New procedures and consistent variations may be formed when new security and integrity problems arise.

To provide a means of rigorously characterizing the various patterns of protection, the conceptual model will be a formal model. We define a protection relation:

    D × U × A → {permit, deny}

where   D is the set of logical data in the data base,
        U is the set of users,
        A is the set of possible access types.

The method of specification of which members of D, the set of logical data, are involved is potentially the most difficult part for us to do. Nevertheless, there are solutions which we shall present in later sections.

A protection pattern will be a collection of protection relations. For consistency, the protection patterns themselves are part of the logical data base. They may be manipulated by suitably authorized users in much the same way as the rest of the data base. The conceptual model is, therefore, also concerned with the establishment of the rules by which the patterns of protection can be maintained in a consistent and complete way. For example, a given user should not be able to modify the patterns which affect him, for this would be tantamount to no security at all. The major thrust of the conceptual model is aimed to provide a well defined, easily understood model for the characterization of logical data base protection.

The second level, the structural model, lets us examine the problems associated with use of the data base and computer system under the patterns of protection defined in the conceptual model. It is in the structural model that the protection mechanisms of the data secure system are characterized. It is also planned that the characterizations will show clearly the working of the mechanisms.

The structural model is mainly concerned with the logical implementation of the conceptual model in terms of a set of primitives by which any protection pattern defined in the conceptual model may be carried out. Mechanisms needed for regulating the implementation of the protection patterns are called protection mechanisms. The structural approach of this model will enable the reader to gain enough insight into the design of the mechanisms and to understand the working of the primitives in relation to the mechanisms.

A crucially important fact of the structural model is how the patterns of protection in the conceptual model are to be represented in the structural model as a subset of primitives. The most promising mechanisms under consideration for regulating the patterns are deadlock-based. The deadlock-based mechanisms create for each real (user) process* a pseudo-process which does not exert any effect on the system, other than deadlocking with its process if the process attempts an illegal access. Deadlock-based protection mechanisms have the advantage that checking of whether or not the access attempt is legal is an implicit and intrinsic feature of the structure of the process/pseudo-process relationship. This feature is in contrast to other schemes which require an explicit check for each request. Implicit checking requires almost no overhead. Furthermore, it is possible to verify the correctness of the working mechanisms by verifying their intrinsic structural features and by applying the theory of deadlock.

The structural model is therefore process-oriented, with each active user corresponding to a process and the related pseudo-process. The data base activities of the user can thus be viewed as requests of his process and pseudo-process for data base resources. If the request is illegal, the process and the pseudo-process will deadlock each other, resulting in no activity for the user.

In deadlock-based protection mechanisms, many of the conventional procedures, like verification and authentication, become more a feature of the basic structure of the system than of explicit programs. There is considerable advantage over more traditional approaches because we can prove the correct interactions of a limited number of processes more easily than we can prove the correctness of a set of potentially complex programs.

* The process referred to here has the same meaning as a process in MIT-Multics or a task in the IBM 370 VS2/Release 2.



To convincingly demonstrate that the process and pseudo-process interlocking on data base items will create a deadlock situation if and when the process makes an illegal request, we have the well-developed theory of system deadlock to rely on. Thus, sufficient and necessary conditions under which a system deadlock will occur are known. We only need to apply the system deadlock theory to the security deadlock situation.
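The process/pseudo-process idea, together with the requirement stated in the overview (no authorized access causes a security deadlock, every unauthorized one causes an immediate security deadlock), can be exercised with a small wait-for-graph model. This is an added example, not code or primitives from the report; Part I does not develop the structural model, so the realisation here is an assumption of the example: each Extended Logical Data Base triple (u, a, d) is treated as a lockable logical resource, the pseudo-process of user u holds every triple the protection pattern denies to u, and it waits for a per-user session resource that u's own process holds. The users, access types, data and the pattern are constructed.

```python
"""Security deadlock between a user process and its pseudo-process, modelled
with a wait-for graph.

Added illustration, not code from the report.  Assumed realisation: each ELDB
triple (u, a, d) is a lockable resource; on login the pseudo-process of user
u takes every triple the pattern denies to u and then waits for u's session
resource, which u's own process holds.  PATTERN is constructed sample data.
"""
from typing import Dict, Hashable

PERMIT, DENY = "permit", "deny"


class WaitForGraph:
    """Which process holds each resource, and which resource each blocked
    process is waiting for."""

    def __init__(self):
        self.holder: Dict[Hashable, str] = {}
        self.waiting_for: Dict[str, Hashable] = {}

    def acquire(self, proc: str, res: Hashable) -> bool:
        owner = self.holder.get(res)
        if owner is None or owner == proc:
            self.holder[res] = proc
            self.waiting_for.pop(proc, None)
            return True
        self.waiting_for[proc] = res          # proc blocks on the holder
        return False

    def release(self, proc: str, res: Hashable) -> None:
        if self.holder.get(res) == proc:
            del self.holder[res]

    def deadlocked(self, proc: str) -> bool:
        """Follow proc -> awaited resource -> its holder -> ...; revisiting a
        process means a circular wait, so proc is indefinitely delayed."""
        seen, cur = set(), proc
        while cur in self.waiting_for:
            if cur in seen:
                return True
            seen.add(cur)
            cur = self.holder[self.waiting_for[cur]]
        return False


class DataSecureSystem:
    """The protection pattern is a total map ELDB triple -> permit/deny."""

    def __init__(self, pattern: Dict[tuple, str]):
        self.pattern = pattern
        self.graph = WaitForGraph()

    def login(self, user: str) -> None:
        pseudo, session = f"pseudo-{user}", ("session", user)
        if not self.graph.acquire(user, session):
            raise RuntimeError(f"{user} already logged in")
        for (u, a, d), verdict in self.pattern.items():
            if u == user and verdict == DENY:
                self.graph.acquire(pseudo, (u, a, d))
        self.graph.acquire(pseudo, session)   # blocks: the user holds it

    def access(self, user: str, a: str, d: str) -> str:
        """The user's process requests the logical resource (user, a, d)."""
        triple = (user, a, d)
        if triple not in self.pattern:
            raise KeyError(f"{triple} is not in the ELDB")
        if self.graph.acquire(user, triple):
            self.graph.release(user, triple)  # the access completes
            return "completed"
        return "security deadlock" if self.graph.deadlocked(user) else "waiting"


def meets_requirement(pattern: Dict[tuple, str]) -> bool:
    """Report's requirement: no authorized access deadlocks, every
    unauthorized one deadlocks immediately.  Each attempt gets a fresh
    system because a deadlocked process never proceeds."""
    for (u, a, d), verdict in pattern.items():
        system = DataSecureSystem(pattern)
        system.login(u)
        outcome = system.access(u, a, d)
        if verdict == PERMIT and outcome != "completed":
            return False
        if verdict == DENY and outcome != "security deadlock":
            return False
    return True


# Constructed pattern over U = {alice, bob}, A = {read, write}, D = {rec1, rec2}.
PATTERN = {
    ("alice", "read", "rec1"): PERMIT, ("alice", "write", "rec1"): PERMIT,
    ("alice", "read", "rec2"): PERMIT, ("alice", "write", "rec2"): DENY,
    ("bob", "read", "rec1"): DENY,     ("bob", "write", "rec1"): DENY,
    ("bob", "read", "rec2"): PERMIT,   ("bob", "write", "rec2"): DENY,
}

if __name__ == "__main__":
    s = DataSecureSystem(PATTERN)
    s.login("alice")
    print(s.access("alice", "read", "rec1"))    # completed
    print(s.access("alice", "write", "rec2"))   # security deadlock
    print(meets_requirement(PATTERN))           # True
```

Note that the only per-request work in `access` is a lock acquisition: the permit/deny decision is never computed by a checking routine, it is a consequence of which resources the pseudo-process already holds, which is the sense in which the report calls the check implicit.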

At the third level, the implementation model is concerned with practical aspects of actually implementing the model described by the other levels. It will be an experimental data secure system for the demonstration of well conceived concepts in the conceptual model and carefully developed mechanisms in the structural model.



II. The Conceptual Model



One of the problems that plagues us in attempts to study protection is the lack of a suitable theoretical framework to allow for the comparison and analysis of the many different ideas for providing protection for data base systems. The goal in building the conceptual model is to provide such a framework and to demonstrate its utility.

We shall try to use a more formal approach with the hope of arriving at more precise definitions of the model. Nevertheless, there are definitions which must remain intuitive and somewhat 'undefined.'

    The Physical Data Base is the underlying physical reality of a data base, e.g., a reel of magnetic tape, a deck of cards, a collection of disc tracks, etc.

    The Logical Data Base is the set of all elements of information contained in the PDB. Furthermore, the elements of information in the LDB are referred to as logical data.

    A Data Base System(s) is (are) the collection of computer programs, procedures, components, etc., for the creation, use and maintenance of the Logical Data Base on the Physical Data Base. Examples of Data Base Systems are many, such as IMS, CICS, TDMS, etc.

Informally, the Logical Data Base is the collection of all possible "answers" obtainable or extractable by the Data Base System from the Physical Data Base in response to "questions" by users of the Data Base System.

Assumption: It is possible to enumerate completely every piece of logical data contained in the Physical Data Base.

This assumption often goes unstated since it appears so obvious. If we accept the assumption, however, it is not clear for many data base systems how to form the "answers", since enumeration is hardly an efficient way to extract them. Nevertheless, the basis for this assumption is that if an element of data is capable of being "found" in the Physical Data Base by the Data Base System, then it can be enumerated. If it can be enumerated, then it can be used for the formulation of an "answer" in the Logical Data Base.

The Logical Data Base will occupy the central position in any discussion of protection. A major lack in most Data Base System protection capabilities is the ability to protect only the Physical Data Base, rather than the Logical Data Base. This lack of more subtle protection makes many existing protection capabilities inadequate for modern, multi-user, integrated Data Base Systems. The inadequacy will be greatly multiplied since, as the current research in Data Base Systems suggests, there will be in the future an even greater difference and separation between the Physical Data Base and the user's view of it, the Logical Data Base.

Now we define more formally some of the terms which have been frequently used in data base system technology.

Defn: A user will be the generic term for any agent which attempts to use the Logical Data Base in some way.

Defn: Access is any activity by a user which requires logical data from the Logical Data Base and which demands a completion.

Defn: An access is denied if it is indefinitely delayed (never completed); otherwise, it is permitted.

Access may be further subdivided into access types, such as read, write, execute, search, retrieve, etc. We shall leave the exact connotations of any particular access type unspecified at this point.

Let us now define some of the terminology more leisurely. The interaction of a user with the Data Base System can be viewed as a series of requests and replies, with the system making some requests and the user making others. The first dialog is the identification procedure. The identity and access types of the user are established and retained by the system for future use. Once the identity of the user is known, the purpose of a data base system is to use the information in the Logical Data Base in the reply to the user's requests. For every such request the system performs an authentication procedure to determine whether the request should be permitted or denied, utilizing the information established and retained in the identification procedure. The system then carries out authenticated requests. As more sophisticated data base systems are developed where the separation of Logical Data Base and Physical Data Base is evident, more of the burden of searching for the information in the Logical Data Base which satisfies the user's request is placed on the system.

To allow users to access only certain parts of a data base, the division of the data base into logical regions may be requested. Furthermore, the logical data base may take on different apparent regions for different users. The study of logical divisions, their access requirements and their physical organizations is termed compartmentalization, in which parts of the data base are separated logically and/or physically. For particularly sensitive parts of the data base, it may be necessary to further check on the legitimacy of attempted accesses. These verification procedures may be as simple as asking the user "ARE YOU SURE?", or may be much more elaborate. It is well to compartmentalize even if especially sensitive data is not involved. With these "firewalls" the entire data base is less likely to be affected if some untoward event (such as physical damage, accidental destruction, or illegal access) occurs.

It is also reasonable to consider the information used in the identification, authentication, compartmentalization and verification procedures as part of the data base, which may be manipulated in the same manner as the rest of the data base. An authorization procedure is the only means by which this information is created and maintained. In particular, certain users (say, the creator) of logical data can authorize other users of the Data Base System to access the data by exercising the authorization procedure.

With this discussion, we have the following important notions.

Defn: Security is the prevention of unauthorized use of the data.

Defn: Integrity is the prevention of unauthorized or accidental destruction or modification of the data.

Defn: Authorization is the process of determining the authorized users of the Data Base System (and thus of the Logical Data Base), and of determining which accesses may be permitted and which should be denied.

Defn: Destruction is a breach in integrity; Penetration is a violation of security. Both of these are caused by the user of the Data Base System and are known collectively as interference.

Defn: A Protection Mechanism (or simply, Protection) is an attempt to provide security and integrity by means of access control and interference prevention.

What has been characterized is a general data base system with access control and interference prevention. Practical systems embody the procedures discussed above in various forms reflecting the needs and purposes of the system. Any data base system must have some security and control if the user is to place any confidence in the data stored and retrieved. What distinguishes a data secure system is that the security and integrity are integrated into the system, not hung on as an extra module or two. The protection mechanism of the data secure system is logically complete and can be convincingly demonstrated to operate correctly and effectively even when under strong attack by well equipped (skillful and knowledgeable) penetrators.

The preceding discussion has laid the formal basis for the conceptual model and has also outlined, in a somewhat less formal way, the concepts of most contemporary Data Base System protection mechanisms. Let us now first go strongly into the theoretical aspects of the conceptual model, and then show how such a theory may be applied by demonstrating how some fairly diverse protection mechanisms may be described by the model.

Defn: The Extended Logical Data Base (ELDB) is a set of triples

          (u, a, d)

      where
          u is a user identifier,
          a is an access-type identifier,
          d is the identifier of an element of the Logical Data Base.

The Extended Logical Data Base is formed by making a triple for every possible access to the Logical Data Base by every possible user. Thus, the Extended Logical Data Base is a complete characterization of all possible accesses to the data base. Clearly, the Extended Logical Data Base has an immense number of elements for even the most trivial cases. Our goal is to suggest methods which deal with aggregates of Extended Logical Data Base elements. The Extended Logical Data Base forms the foundation for any discussion of interference prevention and access control.

Let us consider the components of these triples in some detail. Not too much need be said about the user identifier, since its meaning and importance are obvious. However, our definition of access was quite broad so as to include all actions in which information from the Logical Data Base is used. Thus, we must consider the connotations of particular access types. A serviceable definition is, "Each access type is a program which effects a particular variety of access..." [PopeG73]. The access type identifiers in the triples are, thus, program identifiers. These access programs range from basic hardware operations through supervisor services to more elaborate user created programs. Finally, we have made the assumption that every element of the Logical Data Base can be identified and assigned a unique name. These names are the data identifiers of the Extended Logical Data Base.

Defn: A protection specification is a relation
      p: S → {permit, deny}, where S ⊆ ELDB.

Given x ∈ S, p(x) = deny will indicate that under this protection specification the access is denied, and p(x) = permit that the access is permitted.

Intuitively, a protection specification is an assertion about the protection of the data base system. We do not require that a user who is creating protection specifications have global knowledge of the system. He can make the specification cover only that Extended Logical Data Base subset about which he is cognizant.
Defn: A protection pattern is a set, P, of protection specifications such that every triple of the Extended Logical Data Base is in the domain of at least one specification.

Defn: A protection pattern, P, is consistent if every triple of the Extended Logical Data Base which lies in the domain of more than one protection specification of P is mapped onto the same value by each of the protection specifications in whose domain the triple is contained. A protection pattern which is not consistent will be said to be inconsistent.

We shall assume that protection patterns are consistent unless specifically indicated otherwise. (Later, we shall suggest methods to resolve inconsistent specifications.) In a consistent protection pattern it does not matter which protection specification is applied to an element for which several are applicable, because by definition if access to the element is, for example, denied as a result of the application of one of the protection specifications (i.e., p_i(x) = deny), the access to the same element will still be denied no matter which other protection specifications are applied. We may simply refer to P(x), rather than some particular p_i(x).

Thm: A consistent protection pattern partitions the Extended Logical Data Base into those accesses which are permitted (may be completed) and those which are denied (indefinitely delayed).

This theorem is the heart of the conceptual model. It formalizes the notion that of all the "things" that the users might try to do, the protection mechanism, at any instant, partitions the "things" into a set which are allowed and a set which are not allowed. This formalism lets us consider all deterministic protection mechanisms in the same framework, because the result of any protection mechanism is to return a binary (permit or deny) result to a user access attempt. Let us demonstrate how some of the existing protection mechanisms may be characterized by the model.
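The definitions above (Extended Logical Data Base, protection specification, protection pattern, consistency, and the partition theorem) in code, as an added example that is not from the report. The users, access types, data identifiers and the three specifications are constructed; the ELDB is built as the full product of the three sets, which is exactly the definition and also why its size grows so quickly.

```python
"""Protection specifications and patterns over an Extended Logical Data Base.

Added illustration, not code from the report.  USERS, ACCESS_TYPES, DATA and
the specifications below are constructed sample values.
"""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, Set, Tuple

Triple = Tuple[str, str, str]            # (user, access type, data identifier)
PERMIT, DENY = "permit", "deny"

USERS = ("alice", "bob")                 # U
ACCESS_TYPES = ("read", "write")         # A
DATA = ("rec1", "rec2")                  # D


def extended_ldb(users, access_types, data) -> FrozenSet[Triple]:
    """ELDB: one triple for every possible access by every possible user,
    so |ELDB| = |U| * |A| * |D|."""
    return frozenset(product(users, access_types, data))


class ProtectionSpecification:
    """A relation p: S -> {permit, deny} with S a subset of the ELDB."""

    def __init__(self, name: str, domain: Iterable[Triple],
                 rule: Callable[[Triple], str]):
        self.name = name
        self.domain = frozenset(domain)  # S
        self.rule = rule

    def __call__(self, x: Triple) -> str:
        if x not in self.domain:
            raise KeyError(f"{x} is outside the domain of {self.name!r}")
        return self.rule(x)


def covers(specs, eldb) -> bool:
    """Pattern condition: every ELDB triple lies in at least one domain."""
    return all(any(x in p.domain for p in specs) for x in eldb)


def inconsistencies(specs, eldb) -> Dict[Triple, Set[str]]:
    """Triples on which two applicable specifications disagree.
    An empty result means the pattern is consistent."""
    bad = {}
    for x in eldb:
        values = {p(x) for p in specs if x in p.domain}
        if len(values) > 1:
            bad[x] = values
    return bad


def partition(specs, eldb) -> Tuple[Set[Triple], Set[Triple]]:
    """The theorem: a consistent protection pattern splits the ELDB into
    permitted and denied accesses.  Consistency is what allows P(x) to be
    read off whichever specification applies first."""
    if not covers(specs, eldb):
        raise ValueError("not a protection pattern: some triple is uncovered")
    if inconsistencies(specs, eldb):
        raise ValueError("protection pattern is inconsistent")
    permitted: Set[Triple] = set()
    denied: Set[Triple] = set()
    for x in eldb:
        p = next(p for p in specs if x in p.domain)
        (permitted if p(x) == PERMIT else denied).add(x)
    return permitted, denied


ELDB = extended_ldb(USERS, ACCESS_TYPES, DATA)

# Constructed pattern: alice owns rec1, anyone may read rec2, and a default
# specification denies every access not covered by the first two.
OWNER = ProtectionSpecification(
    "alice owns rec1",
    {x for x in ELDB if x[0] == "alice" and x[2] == "rec1"}, lambda x: PERMIT)
PUBLIC_READ = ProtectionSpecification(
    "rec2 readable by all",
    {x for x in ELDB if x[1] == "read" and x[2] == "rec2"}, lambda x: PERMIT)
DEFAULT_DENY = ProtectionSpecification(
    "default deny", ELDB - OWNER.domain - PUBLIC_READ.domain, lambda x: DENY)
PATTERN = [OWNER, PUBLIC_READ, DEFAULT_DENY]

# An inconsistent pattern: NO_WRITES overlaps OWNER on (alice, write, rec1)
# and maps that triple to the opposite value.
NO_WRITES = ProtectionSpecification(
    "no writes to rec1",
    {x for x in ELDB if x[1] == "write" and x[2] == "rec1"}, lambda x: DENY)
INCONSISTENT = PATTERN + [NO_WRITES]

if __name__ == "__main__":
    ok, no = partition(PATTERN, ELDB)
    print("permitted:", sorted(ok))
    print("denied:   ", sorted(no))
    print("conflicts:", inconsistencies(INCONSISTENT, ELDB))
```

The point of `inconsistencies` is that a user writing a specification over the subset he knows about can still collide with another user's specification; the model requires such collisions to be found and resolved before the pattern can be read as a partition.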
III. Examples - Existing Protection Mechanisms

Example 1: Modelling Protection Mechanisms Based on an Access Matrix [GrahG71, GrahG72].

The access matrix used by these two protection mechanisms may be conceptualized (as depicted in [GrahG72]) in the following figure:

Fig. 1 - Portion of an access matrix (subjects against objects; the entries hold access attributes such as block, read, seek)



The access attributes (permitted access types, in our terminology) of subject S_i (user, in our terminology) towards object O_j are contained in the (i,j) entry of the access matrix. For ease of discussion, let us consider a system environment in which we are only concerned with accesses towards files (e.g., F_1 and F_2 in Fig. 1). Further, let there be only four different access types: read, write, update, and delete, as shown in Fig. 1.

Fig. 2 - The Portion of an Access Matrix as Characterized in the Protection Pattern

Each entry of the table in Fig. 2 is a protection specification. Collectively, the protection specifications form a protection pattern which partitions the data base into accessible and inaccessible files. In other words, the table depicted in Fig. 2 is the protection pattern. This example shows many things. First, the conceptual model can describe the access matrix in a natural, even trivial way. Second, the Extended Logical Data Base has an impossibly large number of elements. Finally, it should be noted that access matrix based protection mechanisms as discussed in [GrahG71] were mainly concerned with protection in operating systems, where the file-like objects were comparatively few in number and were the same for every user (i.e., protection was limited to the Physical Data Base). In general, neither of these two assumptions is true for Data Base Systems, which deal with the Logical Data Base.

Example 2: Modeling Protection Mechanisms Based on Capability Lists.

In essence, a capability list (clist) is one row from the access matrix. Many different definitions for clists exist. We, rather arbitrarily, will use the one found in [DennJ66]:

    Each capability in a clist locates by means of a pointer some
    computing object and indicates the actions that the computation
    may perform with regards to that object. Among these capabilities
    there are really several [memory] segment capabilities, which
    designate segments that may be referenced by the computation and
    that give by means of access indicators an indication of the kind
    of reference permitted...

Although the definition of clist confines the protection to memory protection, we will allow a more liberal interpretation of the term 'segment.' Let us consider these segments as files. The characterization of a clist based protection mechanism by the conceptual model is again relatively trivial. Considering only the files, let us first characterize the access matrix in Fig. 1 as a clist.
Fig. 3 - The Rows of an Access Matrix as Characterized by Capability Lists (clist)

The clist system may be modified to compress out the null entries. However, this has no effect on the concept of either the clist or the conceptual model. To map clists to the protection pattern of the conceptual model, we follow this procedure: Everywhere that the clist gives the user a capability to reference some segment, locate the Extended Logical Data Base element (consisting of the identifiers of the user, access type and segment) corresponding to that segment. There will be such an element because we have explicitly defined the Extended Logical Data Base to consist of all possible accesses. Next assign the value 'permit' to the element (i.e., P(x) = permit). In other words, we have just formed a protection specification of the element to which access is permitted. When all the clists have been exhausted, we have obtained all the possible elements to which accesses are allowed. Finally, assign all the other non-referenced elements the value deny (i.e., P(x) = deny). Thus, the non-referenced segments are not accessible. We now have a protection pattern in the conceptual model corresponding to the clist.
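Examples 1 and 2 in code, as an added example that is not from the report or from [GrahG72] or [DennJ66]: an access matrix is turned into a protection pattern entry by entry, the same matrix is reduced to capability lists (its rows, with null entries compressed out), and the clist-to-pattern procedure just described is run over them. The check at the end is that the two mechanisms yield the same partition of the Extended Logical Data Base, which is the sense in which the model compares mechanisms solely on their answers to access attempts. The subjects, files and matrix entries are constructed; the four access types are the ones used in the discussion of Fig. 1.

```python
"""Access-matrix and capability-list mechanisms as protection patterns.

Added illustration, not code from the report or from [GrahG72]/[DennJ66].
The subjects, files and matrix entries are constructed.
"""
from itertools import product
from typing import Dict, Set, Tuple

Triple = Tuple[str, str, str]          # (user, access type, data identifier)
PERMIT, DENY = "permit", "deny"
ACCESS_TYPES = ("read", "write", "update", "delete")

# Constructed access matrix: subject (row) x object (column) -> access
# attributes.  s2 has a null entry for F1.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "s1": {"F1": {"read", "write", "update", "delete"}, "F2": {"read"}},
    "s2": {"F1": set(), "F2": {"read", "update"}},
}


def matrix_to_pattern(matrix, access_types=ACCESS_TYPES) -> Dict[Triple, str]:
    """Example 1: each (i, j) entry is a protection specification over the
    triples (S_i, a, O_j) for every access type a.  The entries cover the
    ELDB and no triple lies in two entries, so the pattern is consistent."""
    pattern = {}
    for subj, row in matrix.items():
        for obj, attrs in row.items():
            for a in access_types:
                pattern[(subj, a, obj)] = PERMIT if a in attrs else DENY
    return pattern


def matrix_to_clists(matrix) -> Dict[str, Dict[str, Set[str]]]:
    """Example 2: a clist is one row of the matrix.  Null entries are
    compressed out, as the report says a clist system may do."""
    return {subj: {obj: set(attrs) for obj, attrs in row.items() if attrs}
            for subj, row in matrix.items()}


def clists_to_pattern(clists, subjects, objects,
                      access_types=ACCESS_TYPES) -> Dict[Triple, str]:
    """The report's procedure: every capability marks its ELDB element
    'permit'; once all clists are exhausted every unreferenced element is
    assigned 'deny', so compressed-out entries come back as deny."""
    pattern = {(u, a, d): DENY
               for u, d, a in product(subjects, objects, access_types)}
    for subj, caps in clists.items():
        for obj, attrs in caps.items():
            for a in attrs:
                if (subj, a, obj) not in pattern:
                    raise KeyError(f"capability {(subj, a, obj)} not in ELDB")
                pattern[(subj, a, obj)] = PERMIT
    return pattern


def permitted(pattern: Dict[Triple, str]) -> Set[Triple]:
    return {x for x, v in pattern.items() if v == PERMIT}


def same_answers(p1: Dict[Triple, str], p2: Dict[Triple, str]) -> bool:
    """Two mechanisms are compared solely on their answers to every access
    attempt: the same ELDB and the same verdict on each triple."""
    return p1 == p2


if __name__ == "__main__":
    from_matrix = matrix_to_pattern(ACCESS_MATRIX)
    clists = matrix_to_clists(ACCESS_MATRIX)
    from_clists = clists_to_pattern(clists, list(ACCESS_MATRIX), ["F1", "F2"])
    print("clists:", clists)
    print("|ELDB| =", len(from_matrix), " permitted:", len(permitted(from_matrix)))
    print("same partition:", same_answers(from_matrix, from_clists))
```

With two subjects, two files and four access types the ELDB already has sixteen triples; the report's remark about its size follows directly from the product in `clists_to_pattern`.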

Example 3: Modeling Protection Mechanisms Based on Authority Items.

Let us consider one of the first systems to introduce logical access control, subfile protection and user-created control procedures [HsiaD68a, HsiaD68b]. The basic system protection mechanism uses capability lists which are called authority items. One authority item is associated with each user. The file of authority items is itself maintained much like other files on the system. The system is notable in its ability to offer protection of arbitrary subfiles. These subfiles are defined not by physical parameters but rather by logical descriptions, such as Boolean and arithmetic expressions of keywords and symbolic names. Within the authority item, logical expressions indicate for each file which records are inaccessible, which are temporarily blocked, which are presently opened for use, etc. As a record is retrieved in response to a user query, it is processed against these logical expressions to determine whether it should be output to the user. Figures 4 and 5 (from [HsiaD68b]) illustrate these system features. The user is permitted to create a procedure associated with the file which he owns. This procedure would be invoked whenever access to the file is initiated by any user. Such procedures can be arbitrarily complex, the only constraint being that the procedure return a 1 or 0 to the system indicating whether the access to the file is to be permitted or denied. This idea is expanded upon in [HoffL70, HoffL71] and subsequently became known as formularies.
Fig. 4 - The Sets of Records in a File Specified by Three Types of Logical Description

Fig. 5 - Expression Validations in Record Access
Example 4: Modeling Protection Mechanisms Based on Formularies.

Perhaps the most difficult protection mechanisms to be characterized in the conceptual model are the ones based on user-defined authorization/verification procedures. These procedures are termed formularies in [HoffL70, HoffL71] and are also adopted in [CODAS71]. Essentially, a user could create whatever procedures he would like, and is allowed to have such procedures invoked at various phases of data base activity. Thus, access to data is determined by these procedures. One reason for the difficulty in characterizing procedural mechanisms in the conceptual model is the lack of definition of the procedure (i.e., formulary) itself. It is also not clear what the environment for the invocation of the procedures is. By this we mean: what are the data that are accessible to the procedure in order for the procedure to determine whether to permit or deny an access attempt?

Fortunately, the conceptual model is only descriptive in nature. Thus, we are not concerned with how a decision to permit or deny access is reached; rather, we only want to know what such a decision is. In effect, we could build the protection pattern equivalent to a given procedure (formulary) by "running" (or executing) the procedure on every element of the Extended Logical Data Base. Intuitively, then, we can characterize procedures (formularies) in terms of the corresponding conceptual model protection patterns. One caveat applies: if the procedure's answer depends on previous access attempts or on other state outside the element itself, the pattern so obtained describes the procedure only at the instant at which it was run, and must be rebuilt whenever that state changes.
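The two characterizations above (Example 2, clists, and Example 4, formularies) reduce to the same operation: enumerate the Extended Logical Data Base and record an answer for every element. The following Python is an added example written for this edition; it is not code from the report or from the systems it cites. The universe of users, access types and files, the capability lists and the decision procedure are all constructed for illustration, and the formulary is chosen so that it gives exactly the clists' answers, which is the only sense in which the model compares two mechanisms.

```python
"""Added example: a protection pattern derived from capability lists and
from a decision procedure (formulary), compared solely by their answers.
Users, access types, files, clists and the procedure are constructed."""
from itertools import product

PERMIT, DENY = "permit", "deny"

# Constructed universe.  The Extended Logical Data Base is the set of ALL
# (user, access type, data) triples, permitted or not.
USERS = ("u1", "u2", "u3")
ACCESS_TYPES = ("read", "write")
FILES = ("f1", "f2", "f3")


def extended_ldb(users=USERS, access_types=ACCESS_TYPES, data=FILES):
    """Every possible access, as a list of (user, access, data) triples."""
    return list(product(users, access_types, data))


# Constructed clists: for each user, the files (segments) it may reference
# and the access indicators attached to each.  Null entries are absent.
CLISTS = {
    "u1": {"f1": {"read", "write"}, "f2": {"read"}},
    "u2": {"f2": {"read", "write"}},
    "u3": {},
}


def pattern_from_clists(clists, eldb):
    """Example 2's procedure: every capability marks its element 'permit';
    when the clists are exhausted, everything unreferenced is 'deny'."""
    pattern = {x: DENY for x in eldb}
    for user, capabilities in clists.items():
        for data, indicators in capabilities.items():
            for access in indicators:
                x = (user, access, data)
                if x not in pattern:
                    raise ValueError(f"capability {x} is not an ELDB element")
                pattern[x] = PERMIT
    return pattern


def pattern_from_procedure(decide, eldb):
    """Example 4: characterize a formulary by running it on every element.
    `decide` returns 1 (true) for permit and 0 (false) for deny."""
    return {x: (PERMIT if decide(*x) else DENY) for x in eldb}


# Constructed formulary: the owner of a file has every access to it, and
# u1 is additionally allowed to read u2's file f2.  f3 has no owner.
OWNER = {"f1": "u1", "f2": "u2"}


def example_formulary(user, access, data):
    if OWNER.get(data) == user:
        return 1
    if (user, access, data) == ("u1", "read", "f2"):
        return 1
    return 0


def permitted(pattern):
    """The subset of the ELDB a pattern permits; the complement is denied."""
    return {x for x, v in pattern.items() if v == PERMIT}


def same_answers(p, q):
    """Two mechanisms are compared only on their answers to each access."""
    return p.keys() == q.keys() and all(p[x] == q[x] for x in p)


if __name__ == "__main__":
    eldb = extended_ldb()
    p = pattern_from_clists(CLISTS, eldb)
    q = pattern_from_procedure(example_formulary, eldb)
    print(len(eldb), "elements;", len(permitted(p)), "permitted")
    print("clists and formulary agree:", same_answers(p, q))
```

The `ValueError` in `pattern_from_clists` is the check a practitioner wants: a capability naming a user, access type or object outside the Extended Logical Data Base is a sign that the enumeration of "all possible accesses" is incomplete, and the model's guarantee that every capability has a corresponding element no longer holds.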
IV. Four Types of Protection Specifications

Throughout the preceding discussion we have ignored two areas because we lacked the theoretical tools to deal with them. First, how do we resolve the protection of subsets of the Extended Logical Data Base which are assigned different protection by different protection specifications? Second, how do we get an orderly characterization of the creation, alteration and destruction of protection specifications and patterns? In order to treat these questions in a thorough way, we again develop some definitions:

Defn: The user extraction operator U returns for an element x of the Extended Logical Data Base the user identifier of the element.

    U(x) = user identifier

Defn: The access type extraction operator A returns for an element x of the Extended Logical Data Base the access-type identifier of the element.

    A(x) = access-type identifier

Defn: The data extraction operator D returns for an element x of the Extended Logical Data Base the data identifier of the element.

    D(x) = data identifier

We also adopt the following notations. Lower case x and y will denote elements of the Extended Logical Data Base. Lower case p and q will denote protection specifications while upper case P, Q and R, possibly with subscripts, will denote protection patterns. Recall that the difference between a pattern and a specification is that the domain of a specification is a subset of the Extended Logical Data Base while the domain of a pattern is the entire Extended Logical Data Base. Finally, the set of all possible protection patterns over a given Extended Logical Data Base will be denoted by ^.

Now we make some definitions of relations between protection patterns.

Defn: Two protection patterns, P and Q, are equal, P = Q, if ∀x (P(x) = Q(x)).

In order to define a partial ordering on the set of protection patterns, we will say that for a, b ∈ {deny, permit}, a ≤ b means a = deny or b = permit. Then we say that a pattern P is a restriction of a pattern Q, P ≤ Q, if ∀x (P(x) ≤ Q(x)). Informally, P ≤ Q says that

a) There may be some Extended Logical Data Base subsets which are permitted under Q but denied under P,

b) There are no subsets which are permitted under P but denied under Q.

We can conceptualize restriction as a partial ordering on the "strength" of the patterns, that is,

a) P ≤ P for any protection pattern,

b) P ≤ Q and Q ≤ P implies that P = Q,

c) P ≤ Q, Q ≤ R implies P ≤ R.

It is also possible to define the dual concept, P is an expansion of Q, P ≥ Q, meaning Q ≤ P.

Given two protection patterns P and Q we define the greatest lower bound (glb) of P and Q, S = glb(P, Q), as follows:

    S(x) = deny,   if P(x) = deny or Q(x) = deny,
           permit, if P(x) = Q(x) = permit.

A similar definition for the least upper bound (lub), T = lub(P, Q), is also possible:

    T(x) = permit, if P(x) = permit or Q(x) = permit,
           deny,   if P(x) = Q(x) = deny.

The glb and lub can also be defined for specifications. For s = glb(p, q):

    s(x) = deny,      if p(x) = deny or q(x) = deny,
           permit,    if p(x) = q(x) = permit,
           undefined, if p(x) and q(x) are undefined.
The glb and lub characterize two constructive operations, since neither is necessarily equal to either P or Q. Thus both glb and lub represent possibilities for resolution of the protection of subsets in protection patterns which are not consistent. Another facet of this resolution is that it is how we can create a consistent (global) protection pattern from potentially inconsistent (local) protection specifications. In attempting to make a consistent pattern, we may be fortunate enough that the individual specifications are consistent and that they cover the entire Extended Logical Data Base. It is more likely that one or both of these conditions does not hold. The question is, then, "How do we solve these problems?" First, let us consider the situation in which some Extended Logical Data Base subsets are in the domain of no protection specification. Here, an essentially arbitrary decision on whether to permit or deny such accesses must be made (in practice the decision should be deny, for the same reason of reversibility given below). Such a decision creates, in effect, a protection specification covering these subsets. The problem of two or more specifications giving the same subset different, inconsistent protections is far more difficult. The best working hypothesis is to suspend any access and refer such problems to a higher authority. This restrictive strategy corresponds to taking the glb of the contending specifications: if they differ it is because one says to permit access and another says to deny it, and the glb of permit and deny is deny. Intuitively, it seems best to suspend the access while waiting for the higher authority to decide, because such actions can be simply reversed. On the other hand, once access has been incorrectly permitted, there is little that can be done to reverse the action. Such a higher authority may well be one of the users. It should be remarked that the resolution of inconsistent protection specifications is really the more philosophical question of how we arbitrate between two conflicting requirements in system design. Each of the specifications is an assertion about the desired protection of the system. For this reason, no mechanical procedure for such resolution was suggested. The method suggested represents a compromise. By suggesting that some decisions can only be made by mechanisms and people outside the model, we endow it with great flexibility. Those decisions about which no controversy exists will be made mechanically and routinely.
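An added example (not from the report) of the restriction ordering, glb and lub, and the resolution policy just described, over a small constructed Extended Logical Data Base. Specifications are represented as partial maps (Python dicts over a subset of the elements) and patterns as total maps. Two choices are this example's and not the report's: the default for elements covered by no specification is deny, the practitioner's fail-safe choice, and conflicting elements are both set to deny and reported separately, so that the "higher authority" can see what it has been asked to settle.

```python
"""Added example: protection patterns as total maps over a constructed
Extended Logical Data Base, the restriction ordering, glb and lub, and the
assembly of a consistent global pattern from local specifications."""
from itertools import product

PERMIT, DENY = "permit", "deny"

# Constructed ELDB: two users, two access types, two data elements.
ELDB = list(product(("u1", "u2"), ("read", "write"), ("d1", "d2")))


def leq(a, b):
    """a <= b on {deny, permit}: a = deny or b = permit."""
    return a == DENY or b == PERMIT


def is_restriction(p, q):
    """P <= Q: nothing permitted under P is denied under Q."""
    return p.keys() == q.keys() and all(leq(p[x], q[x]) for x in p)


def equal(p, q):
    return p.keys() == q.keys() and all(p[x] == q[x] for x in p)


def glb(p, q):
    """Deny if either denies; permit only if both permit."""
    return {x: PERMIT if p[x] == PERMIT and q[x] == PERMIT else DENY for x in p}


def lub(p, q):
    """Permit if either permits; deny only if both deny."""
    return {x: PERMIT if p[x] == PERMIT or q[x] == PERMIT else DENY for x in p}


def bounds_hold(p, q):
    """glb(P,Q) lies below both and lub(P,Q) above both, under restriction."""
    g, l = glb(p, q), lub(p, q)
    return (is_restriction(g, p) and is_restriction(g, q)
            and is_restriction(p, l) and is_restriction(q, l))


def resolve(specs, eldb, default=DENY):
    """One global pattern from partial specifications (dicts over subsets).

    Elements in no specification's domain get `default` (deny: the choice
    that can be reversed later).  Elements on which specifications
    disagree are suspended, i.e. set to deny as the glb would, and returned
    in `conflicts` for a higher authority to settle.
    """
    pattern, conflicts = {}, set()
    for x in eldb:
        answers = {s[x] for s in specs if x in s}
        if not answers:
            pattern[x] = default
        elif len(answers) == 1:
            pattern[x] = answers.pop()
        else:
            pattern[x] = DENY
            conflicts.add(x)
    return pattern, conflicts


# Constructed local specifications, deliberately incomplete and in conflict.
SPEC_OWNER = {("u1", "read", "d1"): PERMIT, ("u1", "write", "d1"): PERMIT,
              ("u2", "read", "d2"): PERMIT, ("u2", "write", "d2"): PERMIT}
SPEC_SHARE = {("u1", "read", "d2"): PERMIT, ("u2", "read", "d1"): PERMIT}
SPEC_LOCK = {("u2", "read", "d1"): DENY}     # disagrees with SPEC_SHARE


if __name__ == "__main__":
    pattern, conflicts = resolve([SPEC_OWNER, SPEC_SHARE, SPEC_LOCK], ELDB)
    for x in ELDB:
        print(x, pattern[x], "(referred)" if x in conflicts else "")
```

Running the block shows the two situations the text describes: the accesses (u1, write, d2) and (u2, write, d1) fall in no specification's domain and receive the default, while (u2, read, d1) is claimed by SPEC_SHARE and SPEC_LOCK with opposite answers and is therefore suspended and reported.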

To have a complete system we introduce two artifices which we shall employ later.

Defn: The completely protected data element e_0 is defined such that for every triple (u, a, e_0) in the Extended Logical Data Base, P((u, a, e_0)) = deny.

Defn: The completely accessible data element e_1 is defined such that for every triple (u, a, e_1) in the Extended Logical Data Base, P((u, a, e_1)) = permit.

Both definitions hold for any protection pattern P. They give us a known property upon which we can depend.

All of the above formalism would be rather uninteresting if it could not be related to the practical considerations of system design. Recall that we are attempting to create a formal model for description and discussion of a wide variety of protection schemes. It is easy to lose sight of this and fall into a pedantic discussion of esoteric properties of the model. We have developed the notion of the protection pattern as the central descriptive means. By showing protection patterns to be partially ordered under restriction we were able to motivate the glb and lub as operators.

Now, we shall consider a more basic question: how do we create and modify the specifications which make up the patterns?

Defn: A context-free protection specification is a protection specification which does not depend upon the previous access attempts (permitted or denied) by any of the users governed by the specification.

We shall initially restrict our discussions to such memoryless specifications, since they are the most basic type.

Our most primitive specification gives the protection of a single Extended Logical Data Base element, (u, a, d):

    TYPE.1((u, a, d), {permit, deny})

It should be obvious that, formally, this single operator is sufficiently powerful. Other operators will thus be measured against this one for flexibility. However, it should also be obvious that this operator is an awkward way to specify the protection of more than a few elements. Moreover, to create such specifications, the user must know explicitly all the users and access types to be governed by the specifications, an undesirable feature which violates our assertions about global knowledge.

The next step in flexibility is to allow the specification to cover a subset, S, of the Extended Logical Data Base, rather than a single element.

We observe that in naming a subset there is the practical problem of describing the subset to the protection system. Certainly, we shall not want to describe the set by enumerating its elements, since we are no better off than with the TYPE.1 protection specification. We can ameliorate this problem by restricting the type of subset to one which can be described by parameterization. For example, the set definition {x | x > k} implicitly creates a set selection function with parameter k indicating whether or not the element is a member of the subset. Although we would be somewhat premature in specifying the set selection functions which we shall use at this point of the discussion, we nevertheless stipulate that whenever S is used in a protection specification TYPE.2, there is a set selection function of a few parameters associated with S. We shall continue this assumption throughout the rest of our discussion on the conceptual model.

The TYPE.2 specification enables the user to choose S such that every element of S has the same protection. What we would now desire is to relax this by allowing the user to specify that some subset S_2 is to be protected "like" some other subset S_1. First we must define what we mean by "like". Let f be a function from S_2 into S_1. Then for x ∈ S_2 we define p(x) to be p(f(x)), which is already defined since f(x) ∈ S_1 and p(y) is defined for all y ∈ S_1.

Since f maps S_2 into S_1, the specification can actually be simplified to

    TYPE.3(S_2, f).

An example of one such function is

    f_1((u, a, d_0)) = (u, a, d_1)
With such a function we can permit and deny the same set of accesses to two different data elements. That is, if p(u, a, d_1) = permit, then p(u, a, d_0) = permit. For the same user u the data element d_0 is protected with the same access attributes as the data element d_1. Obviously, we would like to extend this idea to other elements of the triple, for example, to give one user access privileges identical to those of another user, or to say that users may have a_2 access to some data element only if they have a_1 access to the element. The following general function can be used for all of these situations:

    f(x; u_1, a_1, d_1) = ( U(x) if u_1 = null, otherwise u_1 ;
                            A(x) if a_1 = null, otherwise a_1 ;
                            D(x) if d_1 = null, otherwise d_1 )

where x ∈ Extended Logical Data Base.

Let us consider the following special cases of f for x = (u_0, a_0, d_0), an element in the Extended Logical Data Base.

Case 1:

    f(x; null, null, d_1) = (U(x), A(x), d_1)

But U(x) = u_0 and A(x) = a_0, so that

    f(x; null, null, d_1) = (u_0, a_0, d_1)

Intuitively, this function indicates that for the user u_0 the data element d_0 can be accessed in the same manner as the data element d_1.

Case 2:

    f(x; u_1, null, null) = (u_1, A(x), D(x)) = (u_1, a_0, d_0)

This function says that the user u_0 will have the same a_0 access to d_0 as the user u_1 has to the element d_0.

Case 3:

    f(x; u_1, a_1, null) = (u_1, a_1, d_0)

This function says to make user u_0's a_0 access to data d_0 the same as user u_1's a_1 access to d_0.
It is, of course, possible to define many such functions. But first let us show how some common protection requirements can be translated into protection specifications of TYPE.3. Typical systems have a default protection for newly created objects. One of the strengths of our model is that a wide variety of methods can be used to achieve the same end. One way to get the default protection would be to explicitly specify whether each access was to be permitted or denied, using TYPE.1 specifications. Another way would be to group the permitted and denied accesses into subsets and use TYPE.2 specifications. This subset grouping would be fairly easy since, in general, the default rules are quite simple. The most natural way is to introduce another artifice. For each user we shall consider a default data object, d_default, such that the protection of newly created objects is "like" that of the default object, unless otherwise specified. More formally we have the following specification:

    TYPE.3({x | D(x) = d_new}, f(x; null, null, d_default))

That is, give every access of the form (u, a, d_new) the same protection as the corresponding access (u, a, d_default). This default specification can be changed, should the user desire, affecting only subsequently created objects. We can now close a potential loophole. The tacit assumption was made that the function mapped elements to other elements whose protection was defined. If we use this default idea for each newly created object, there will be no accesses for which the protection is undefined.

Let us consider one more type of specification. If we allow multiple-valued mappings, some additional possibilities occur. A user can create specifications that say "Deny this access if any of these other accesses is denied." We shall use the following new specification:

    TYPE.4(S, F, OP)

where S is an Extended Logical Data Base subset,

F is a finite set of functions (f_1, f_2, ...) mapping the Extended Logical Data Base into itself, i.e., f_i: ELDB → ELDB, and

OP is glb or lub.

The specification operates as follows:

    p(x ∈ S) = OP(p(f_1(x)), p(f_2(x)), ...)

Recall that the glb will deny an access if it was denied under any of the specifications, and the lub will permit it if it was permitted under any of them.

It is certainly possible to define other, more elaborate, specifications. However, one reaches a point of diminishing returns in the ability to apply them.
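An added example, written for this edition and not taken from the report, of an evaluator for TYPE.1 to TYPE.4 specifications, including the "like" function with null wildcards, the default-object idiom and the TYPE.4 combination with glb or lub. Three details are this example's assumptions rather than the report's: specifications are consulted in order and the first one whose set selection function matches an element decides; an element matched by no specification, or reached through a chain of "like" references that never bottoms out (two TYPE.3 specifications pointing at each other, the case the loophole discussion above leaves implicit), evaluates to "undefined"; and glb/lub over a mix of defined and undefined values take the decisive value where one exists, a case the report's definition leaves open.

```python
"""Added example: an evaluator for TYPE.1 to TYPE.4 context-free
specifications over a constructed Extended Logical Data Base, with the
'like' function f(x; u1, a1, d1), the default-object idiom, TYPE.4's
multi-valued combination, and detection of 'like' chains with no bottom."""

PERMIT, DENY, UNDEFINED = "permit", "deny", "undefined"
NULL = None  # the null wildcard in f(x; u1, a1, d1)


def U(x):
    """User extraction operator."""
    return x[0]


def A(x):
    """Access-type extraction operator."""
    return x[1]


def D(x):
    """Data extraction operator."""
    return x[2]


def like(u1=NULL, a1=NULL, d1=NULL):
    """f(x; u1, a1, d1): replace each non-null component of x, keep the rest."""
    def f(x):
        return (U(x) if u1 is NULL else u1,
                A(x) if a1 is NULL else a1,
                D(x) if d1 is NULL else d1)
    return f


def combine(op, values):
    """glb/lub of several answers.  Assumption for mixed cases: a decisive
    value (deny for glb, permit for lub) wins even if others are undefined."""
    if op == "glb":
        if DENY in values:
            return DENY
        return PERMIT if values and all(v == PERMIT for v in values) else UNDEFINED
    if op == "lub":
        if PERMIT in values:
            return PERMIT
        return DENY if values and all(v == DENY for v in values) else UNDEFINED
    raise ValueError(f"OP must be glb or lub, not {op!r}")


def evaluate(specs, x, _seen=()):
    """Protection of element x under an ordered list of specifications.
    Assumption: the first specification whose set selection function
    matches x decides; no match, or a 'like' chain that revisits x, gives
    'undefined'."""
    if x in _seen:
        return UNDEFINED
    seen = _seen + (x,)
    for spec in specs:
        kind = spec[0]
        if kind == "TYPE.1" and x == spec[1]:
            return spec[2]
        if kind == "TYPE.2" and spec[1](x):
            return spec[2]
        if kind == "TYPE.3" and spec[1](x):
            return evaluate(specs, spec[2](x), seen)
        if kind == "TYPE.4" and spec[1](x):
            return combine(spec[3], [evaluate(specs, f(x), seen) for f in spec[2]])
    return UNDEFINED


def pattern(specs, eldb):
    return {x: evaluate(specs, x) for x in eldb}


# Constructed ELDB and specifications.  d_default is the artifice whose
# protection newly created objects (here d_new) inherit.
ELDB = [(u, a, d) for u in ("u1", "u2") for a in ("read", "write")
        for d in ("d_default", "d1", "d_new")]

SPECS = [
    ("TYPE.1", ("u1", "read", "d_default"), PERMIT),
    ("TYPE.1", ("u1", "write", "d_default"), PERMIT),
    ("TYPE.2", lambda x: D(x) == "d_default", DENY),         # everyone else
    ("TYPE.1", ("u1", "read", "d1"), PERMIT),
    ("TYPE.1", ("u1", "write", "d1"), DENY),
    # u2 may write d1 only if u2 may read d1 and u1 may write d1 (glb)
    ("TYPE.4", lambda x: x == ("u2", "write", "d1"),
     [like(a1="read"), like(u1="u1")], "glb"),
    # otherwise u2's access to d1 is 'like' u1's (Case 2 above)
    ("TYPE.3", lambda x: D(x) == "d1", like(u1="u1")),
    # a newly created object is protected like the default object
    ("TYPE.3", lambda x: D(x) == "d_new", like(d1="d_default")),
]

# Two 'like' references that point at each other never bottom out.
LOOPING = [
    ("TYPE.3", lambda x: D(x) == "d_a", like(d1="d_b")),
    ("TYPE.3", lambda x: D(x) == "d_b", like(d1="d_a")),
]
```

The `_seen` tuple in `evaluate` is the check that matters operationally: without it a pair of mutually referential TYPE.3 specifications would recurse without bound, and with it such a pair is reported as "undefined" so that the default-object rule, or an administrator, can close the gap.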

V. The Data Base Protection

The preceding development of protection specifications made no explicit use of the fact that we are dealing with data base systems. It is here that the present work makes a sharp difference from other efforts which were primarily concerned with protection in operating systems. Though certainly no less significant, the problems of protection in operating systems are different from those of data base systems. First, even a large multi-user operating system is concerned with the protection of a small number (like hundreds or at most a few thousand) of relatively large objects, the majority of which are some kind of physical resources such as disks and memory segments. A data base system is concerned with large numbers (tens of thousands to millions) of relatively small (tens to hundreds of words) objects such as the records and fields. Second, in an operating system the objects are mostly unrelated to each other, and where such relations exist between objects they are fairly simple. In modern data base systems a large variety of relations exist between objects; indeed, this is a fundamental purpose of data base systems, to allow the retrieval of information from many different objects based upon some relationship or affinity among those objects. Thus, a data base protection system should, even must, use those relations to provide or enhance security.

In order to emphasize the relationship among objects of data base systems, a more formal model is needed. Although the topic of data base modelling has been an extremely popular one in recent years, reflecting the very real need for such formalism, we do not need the complexity which characterizes many of the models proposed.

The following terminology and ideas are mostly derived from [HsiaD70, WongE72] and are needed to express relations among elements of the Extended Logical Data Base.

We start with two undefined terms: a set A of "attributes" and a set V of values. We shall leave these undefined to allow the broadest possible interpretation.

Defn: A record r is a subset of the Cartesian product A×V, in which each attribute has one and only one value. We can consider r to be a collection of ordered pairs: (an attribute, its value).

Defn: An index for record r is a set of its attribute-value pairs which collectively characterize r.

For practical reasons we usually desire to choose pairs which are succinct. We shall call the ordered pairs in the index keywords. In the discussion which follows we shall denote keywords by K_i. From the definition of index above, we can characterize r by the keywords of its index.

Defn: Every record is assigned a unique address.

In practical systems, the address may give locational information, but we shall not concern ourselves with such specifics at this point; all we need is the uniqueness.
Defn: Associated with each keyword K in record r is the address of another record with the same keyword. We shall call this the pointer of r with respect to K or briefly the K-pointer. We allow the existence of null pointers to retain the uniformity of definition.

Defn: A list L of records with respect to keyword K (or briefly a K-list) is a set of records each containing K such that

1) the K-pointers are all distinct,

2) each non-null K-pointer gives the address of a record within L and L only,

3) there is a unique record in L not pointed to by any other record containing K, called the beginning of the list,

4) there is a unique record in L with a null K-pointer, the end of the list.



We may view this organization as a directed graph. The set of nodes corresponds to the set of records. There is an edge from r to r' for each K-pointer of r that is equal to the address of r'. We can label these edges with their associated keywords. From the definition of K-lists, no cycles exist in which every edge has the same label.

Defn: A set F of records is called a file if every K-list containing one or more of these records is contained in F. Every file is assigned a unique file name.

Defn: Let R(K_i) be the set of all records containing keyword K_i.

Defn: Let A(K_i) be the addresses of the records in R(K_i).

Clearly, for a file F of n keywords we have

We shall say that a keyword K is true for a record r if the record contains K. Thus, every Boolean function f(K_1, ..., K_n) is either true or not true for each record. R(K_i) is then the set of all records for which K_i is true. Further, we denote -R(K_i) to be the set of all records for which K_i is not true. Similarly:

    R(K_i) ∪ R(K_j) = {records for which (K_i or K_j) is true}

and

    R(K_i) ∩ R(K_j) = {records for which (K_i and K_j) is true}

Extend Q = {R(K_i), i = 1, 2, ..., n} to a Boolean algebra B(Q) by taking unions (∪), intersections (∩) and complements (-). It is then clear that any data base query can be answered by one element of B(Q). Define C_1, ..., C_{2^n} as the 2^n intersections of the form

    ∩_{i=1}^{n} R*(K_i),   where R* = R or -R,

and assume the C_j are numbered so that C_1, ..., C_m are non-empty and C_{m+1}, ..., C_{2^n} are empty.

Defn: C_1, ..., C_m defined above are called the atoms of B(Q).

It is then easy to see the following

Theorem: Let C_1, ..., C_m be the atoms of B(Q); then

1) C_j ∈ B(Q) for j = 1, 2, ..., m;

2) C_j and C_k are disjoint if j ≠ k;

3) U ∈ B(Q) implies that for each j, U ∩ C_j is either empty or is C_j;

4) Every U ∈ B(Q) is the union of some of the C_j.

Intuitively, the atoms are the elementary expressions of keywords which characterize the elements of the logical data base. Thus, with the development of the atoms we have a means of explicitly characterizing the Logical Data Base. These ideas will be illustrated in the next section.

In our early assertion, we stated that it was possible to enumerate every answer to any question that the user could put to the data base. This result can be achieved by characterizing any arbitrary subset of the Logical Data Base as a collection of atoms. Furthermore, it is possible to completely characterize a protection pattern as either the subset of permitted or of denied accesses. In other words, we can make another assertion concerning protection patterns. It is possible to specify protection patterns on any subset of the Extended Logical Data Base for the purpose of either permitting or denying the access to the subset. The assertion goes without saying that every retrievable item in the Logical Data Base may be protected, since retrieval specifications are like TYPE.3 specifications. Although this statement is simple and basic, it is fundamental. It offers the complete protection of every possible element in the data base, whether the elements are small fields, large files, data or programs. Again, the impact of such formalism is that it allows us to prove the assumption that we can find every piece of data in the Logical Data Base.

In order for a system to function as described, it must meet the following requirement.

Design Requirement: The only source of addresses is the K-pointers. No user can fabricate or modify addresses.

Without such a requirement, a user could supply fabricated addresses and circumvent any controls on the data base.

Now we can introduce a new type of protection specification in the conceptual model:

    TYPE.5(U, Q, {permit, deny})

where U is a set of users (not to be confused with the user extraction operator U(x)) and Q is a Boolean expression of keywords.

Note that this is a logical protection specification, and that the specification is posed completely in terms of the user's view of the data base, i.e., a Boolean expression of keywords. It may be that the set of records satisfying Q is null, in which case the specification has no effect.
VI. An Example of Data Base Protection Specification

Let us illustrate the use of the TYPE.5 protection specification with a simple example as follows:

A small data base consists of ten records which are characterized by four different keywords. The record addresses and their keywords are depicted in Fig. 6 and the structure of the data base is depicted in Fig. 7. For the structure, we use the numbered circular node to denote the record at the address so numbered. Along with each edge directed to a node there is a keyword indicating that the node (therefore, the record) is characterized by the keyword. If there are several edges directed to a node, then the node is characterized by several keywords; for example, the record at 8 is characterized by more than one keyword. Obviously, Fig. 7 is a graphical representation of Fig. 6. In this discussion the directory is a special node which can only be accessed by the system, thus no keyword leading to the directory is known. In general, directories may be records; access to and protection of directories can be handled in the same way as records. However, for ease of discussion, we shall not consider the generalization in this example. The atoms of the data base are listed in Fig. 8.

Fig. 6 - The Records of a Data Base

Fig. 8 - The Atoms of the Data Base




Now consider the following specification of a protection pattern:

    TYPE.5({U1}, Q, deny)

where Q - a ((K^ a K^) v (K^ a K^)). 

This specification indicates that the system must deny user U1 access to any record in the data base for which Q is true. Thus, this user has only a portion of the data base for access, and his view of the data base is depicted in Fig. 9. Let us elaborate on the last remark. The Boolean expression Q can be decomposed into disjunctive normal form as follows:

Q « K2 A ((K^ A ic^) V (K^ A K^)) 
« (Kj^ A A K^) V A A K^) 

^ (Kj^ A A A K^) v (K^ ^ ^2 A A K^) y 
(K^ A K2 A A K^) V (K^ A K2 A K3 A K^) 

By comparing the above four conjuncts derived from Q with the atoms of the data base listed in Fig. 8, we learn that only one of them (the conjunct in which K_1, K_2 and K_3 all appear) is an atom. Furthermore, we learn from the same Fig. 8 that the records for which this atom is true are the records at 2, 7 and 10. Thus we can conclude from the TYPE.5 specification that the user U1 is to be denied access to the records at 2, 7 and 10. Thus, the user U1's view of his data base, as depicted in Fig. 9, does not include the records at 2, 7 and 10.

The use of atoms to partition the data base into mutually exclusive subsets for protection specification is powerful and effective. It is powerful because all retrievable information can be protected. Since any data retrieval is a response to the user's query and a query is a Boolean expression of keywords, the same expression can be used for protection specification. It is also effective because the atom is a logical specification which is independent of the structure and implementation of the data. The reliance on keywords is not a restriction, since keywords may be either symbolic names in their most sophisticated form or numeric identifiers in their primitive form.
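An added example (not the report's code) of Sections V and VI: records characterized by keyword sets, the atoms of B(Q), query answering as a union of atoms, and the TYPE.5 specification. The ten records, the four keywords and the expression Q are constructed so that Q holds exactly at records 2, 7 and 10, matching the outcome described above; they are not the contents of Fig. 6, Fig. 7 or Fig. 8, and Q is not necessarily the report's Q. Where several TYPE.5 specifications match a record, the example takes the glb (deny wins), and a record matched by no specification is visible by default, as in the worked example where only a deny specification is given.

```python
"""Added example: keyword-characterized records, the atoms of B(Q), query
answering as a union of atoms, and TYPE.5 protection specifications.
Records, keywords and Q are constructed, not the contents of Fig. 6-8."""

PERMIT, DENY = "permit", "deny"
KEYWORDS = ("K1", "K2", "K3", "K4")

# Constructed data base: address -> the keywords true for that record.
RECORDS = {
    1: {"K1"},
    2: {"K1", "K2", "K3", "K4"},
    3: {"K2"},
    4: {"K1", "K3"},
    5: {"K2", "K3"},
    6: {"K4"},
    7: {"K1", "K2", "K3", "K4"},
    8: {"K1", "K2", "K4"},
    9: {"K3", "K4"},
    10: {"K1", "K2", "K3", "K4"},
}


def R(K, records=RECORDS):
    """R(K): the addresses of all records containing keyword K."""
    return {a for a, kws in records.items() if K in kws}


def atoms(records=RECORDS, keywords=KEYWORDS):
    """The non-empty atoms of B(Q).  Each record lies in exactly one
    intersection of R(K_i) / -R(K_i), named by the set of K_i true for it,
    so records with the same signature share an atom."""
    result = {}
    for addr, kws in records.items():
        signature = frozenset(K for K in keywords if K in kws)
        result.setdefault(signature, set()).add(addr)
    return result


def answer(q, records=RECORDS, keywords=KEYWORDS):
    """Addresses for which the Boolean expression q of keywords is true,
    computed atom by atom: q has a single value on each atom (Theorem,
    parts 3 and 4), so one test per atom suffices."""
    found = set()
    for signature, addrs in atoms(records, keywords).items():
        if q(signature):
            found |= addrs
    return found


def is_union_of_atoms(s, records=RECORDS, keywords=KEYWORDS):
    """Theorem, part 3: an element of B(Q) meets each atom in nothing or all of it."""
    return all(not (s & c) or c <= s for c in atoms(records, keywords).values())


def Q(k):
    """Constructed expression: K2 and ((K1 and K3) or (K3 and K4))."""
    return "K2" in k and (("K1" in k and "K3" in k) or ("K3" in k and "K4" in k))


def type5(users, q, value):
    """TYPE.5(U, Q, {permit, deny}) as a triple."""
    return (frozenset(users), q, value)


def view(user, specs, records=RECORDS, default=PERMIT):
    """Records visible to `user`.  Matching specifications are combined by
    glb (any deny wins); a record matched by none takes `default`."""
    visible = set()
    for addr, kws in records.items():
        answers = [value for users, q, value in specs if user in users and q(kws)]
        if DENY in answers:
            continue
        if answers or default == PERMIT:
            visible.add(addr)
    return visible


if __name__ == "__main__":
    for signature, addrs in sorted(atoms().items(), key=lambda kv: sorted(kv[0])):
        print(sorted(signature), "->", sorted(addrs))
    print("Q true at", sorted(answer(Q)))
    print("U1 sees", sorted(view("U1", [type5({"U1"}, Q, DENY)])))
```

`atoms` returns only the non-empty intersections (the C_1, ..., C_m), which is why a four-keyword data base yields fewer than 2^4 entries here; `is_union_of_atoms` is the check that a proposed protected subset is actually expressible in the user's view, that is, as an element of B(Q), which is the property the text relies on when it says every retrievable item can be protected.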
VII. Access Types

As we indicated earlier, to be a useful model, we should be able to accommodate a variety of different access types. The following consideration will lead to a more unified treatment of access types. For each record we allow the possibility of a special attribute-value pair, (proc-name, proc), where proc is a procedure. When a record with such a procedure is accessed, control is passed to the procedure. The procedure uses only the information in the other attribute-value pairs in the record. To achieve uniformity of definition we shall assume that every record has a proc-name/proc pair, although it may be null. Further, such pairs always have null pointers.

Thus, the particular access type for a given node is dependent upon the path followed through the data base in getting to that node. This solves the problem posed by multiple access types to the same data element. The particular path followed is of course determined by the Boolean expression of keywords supplied by the user. In this way the Boolean expression not only determines the set of records to be accessed but also the types of access to be involved. The following example demonstrates the utility of this formulation.

Consider a situation in which the users can be divided into two disjoint groups, A and B. Those in group A are skilled and trustworthy and are thus to be allowed free access to the data base. Those in group B are more suspect. We therefore desire to make a record of every one of their accesses. The data base may be structured with two entries as follows. Each user in group B must make all his accesses through the auditing procedure, which has a pointer to the normal search procedure, the directory node. On the other hand, group A may access the directory node directly. Note that this arrangement depends on the Design Requirement of Section V: because the only source of addresses is the K-pointers, a group B user has no way to reach the directory node except through the auditing procedure.

In this new formulation, the directory is not merely an entry into the data base, but also a node at which the normal search procedure is triggered. We term this the directory node. As shown in the example, it may be desirable to incorporate more than one entry into the data base. We shall term all these entries gate nodes. Recalling an earlier discussion of basic terminology, we see now that the function of the identification procedure is to direct the user to the proper gate node.
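An added example (not from the report) of the K-pointer organization and the gate nodes of Section VII: a toy store in which addresses are dereferenced only inside the store, so that users supply keywords and never addresses (the Design Requirement of Section V), a checker for the four K-list conditions, and two gate nodes, a directory node that triggers the normal search and an auditing node through which group B must enter. Records, users and groups are constructed; the enforcement of the Design Requirement here rests on the API never accepting an address from a caller, which is a convention in Python rather than a guarantee of the kind the requirement asks of a real system.

```python
"""Added example: records linked by K-pointers, a K-list checker, and gate
nodes carrying procedures (a directory node that runs the normal search
and an auditing node for the suspect group).  Users hand the store
keywords only; addresses are dereferenced inside the store alone, which
is this example's rendering of the Design Requirement.  All data are
constructed."""
from collections import namedtuple

NULL = None
Query = namedtuple("Query", "text fn")  # fn: Boolean function of a keyword set


class Record:
    def __init__(self, address, keywords, body="", pointers=None, proc=None):
        self.address = address
        self.keywords = set(keywords)
        self.body = body                      # the record's other attribute-value pairs
        self.pointers = dict(pointers or {})  # K -> address of next record with K, or NULL
        self.proc = proc                      # the (proc-name, proc) pair; None = null


class Store:
    def __init__(self):
        self._records = {}
        self.audit_log = []

    def add(self, rec):
        self._records[rec.address] = rec
        return rec

    def _follow(self, address):
        """The only place an address is dereferenced; callers never pass one."""
        return self._records[address]

    def k_list(self, K, start):
        """The records on the K-list beginning at `start`, via K-pointers only."""
        out, addr, seen = [], start, set()
        while addr is not NULL:
            if addr in seen:
                raise ValueError(f"cycle in {K}-list at {addr}")
            seen.add(addr)
            rec = self._follow(addr)
            if K not in rec.keywords:
                raise ValueError(f"record {addr} on the {K}-list lacks {K}")
            out.append(rec)
            addr = rec.pointers.get(K, NULL)
        return out


def is_k_list(L, K):
    """The four K-list conditions for a set of records L, each containing K."""
    if any(K not in r.keywords for r in L):
        return False
    ptrs = [r.pointers.get(K, NULL) for r in L]
    addrs = {r.address for r in L}
    if len(set(ptrs)) != len(ptrs):                            # 1) all distinct
        return False
    if any(p is not NULL and p not in addrs for p in ptrs):    # 2) stay inside L
        return False
    if len(addrs - {p for p in ptrs if p is not NULL}) != 1:   # 3) one beginning
        return False
    return ptrs.count(NULL) == 1                               # 4) one end


def directory_proc(store, node, user, query):
    """Normal search procedure, triggered at the directory node: walk each
    K-list whose beginning the directory points to, keep matching records."""
    hits = {}
    for K, head in node.pointers.items():
        for rec in store.k_list(K, head):
            if query.fn(rec.keywords):
                hits[rec.address] = rec.body
    return sorted(hits.values())


def audit_proc(store, node, user, query):
    """Gate node for group B: record the access, then pass control along the
    node's pointer to the directory node."""
    store.audit_log.append((user, query.text))
    nxt = store._follow(node.pointers["directory"])
    return nxt.proc(store, nxt, user, query)


GROUP_A, GROUP_B = {"alice"}, {"bob"}   # constructed user groups


def identify(user):
    """Identification procedure: which gate node the user is directed to."""
    if user in GROUP_A:
        return "directory"
    if user in GROUP_B:
        return "audit"
    raise PermissionError(f"unknown user {user!r}")


def access(store, user, query):
    gate = store._follow(identify(user))
    return gate.proc(store, gate, user, query)


def build_store():
    """Four constructed records on a K1-list (1, 2, 4) and a K2-list (2, 3, 4)."""
    s = Store()
    s.add(Record(1, {"K1"}, "r1", {"K1": 2}))
    s.add(Record(2, {"K1", "K2"}, "r2", {"K1": 4, "K2": 3}))
    s.add(Record(3, {"K2"}, "r3", {"K2": 4}))
    s.add(Record(4, {"K1", "K2"}, "r4", {"K1": NULL, "K2": NULL}))
    s.add(Record("directory", set(), "", {"K1": 1, "K2": 2}, directory_proc))
    s.add(Record("audit", set(), "", {"directory": "directory"}, audit_proc))
    return s
```

Both groups obtain the same answer to the same query; the difference lies entirely in the path, since a group B user's access passes through the auditing node and leaves an entry in the log, which is the sense in which the access type is determined by the path rather than by the record.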
VIII. Summary

Let us conclude our discussion of the conceptual model by summarizing what we have done.

The discussion was started by formal and contextual definitions of the working vocabulary. Using the intuitive idea of the dichotomy of all possible accesses between those which are at some instant permitted and those which are denied, we formalized the idea with the Extended Logical Data Base and protection specifications and patterns. These specifications and patterns encompass the traditional identification, authentication, and verification procedures by recognizing that these procedures, though possibly so complex as to preclude meaningful analysis, can be compared solely on the basis of their "answers" to specific access attempts. We developed a limited "calculus" of protection patterns, suggesting both comparative and generative operators. Finally, we defined and demonstrated a variety of protection specifications. Most significantly, we demonstrated that it is possible to protect any accessible (or retrievable) data in a data base. The proposed protection specification (TYPE.5) is independent of the structure and implementation of the data base.